Full Disclosure mailing list archives
Re: Are consumers being misled by "phishing"?
From: mikeiscool <michaelslists () gmail com>
Date: Thu, 29 Jun 2006 10:14:30 +1000
On 6/29/06, n3td3v <n3td3v () gmail com> wrote:
I believe the industry coined up "phishing" to make more money out of social engineering. It's obvious now that both are overlapping. Only the other day Gadi Evron was trying to coin up a phrase for "voice phishing". Why can't we cut to the chase and drop the (ph)rases and call it straightforward SOCIAL ENGINEERING. I believe your average single mom and retired couple will easily become confused if we keep throwing new catch phrase buzzwords at them. If we could just call it social engineering, then the world would be a less confusing place for the average social engineering victim.

When Yahoo had "paydirect" (an online bank in partnership with HSBC, which was later dropped by Yahoo!) there was an exploit for obtaining account information you wanted from any Yahoo Account. So hundreds of script kids had this exploit which was released by hackers in the localised Yahoo security community. The technique was to get the account information via the web-based exploit in the Yahoo Paydirect service, then phone up Yahoo Customer Care and give them the account information, and hey ho, customer care sends you a new password. Around a hundred script kids were phoning customer care. I alerted Yahoo to what was going on, but Yahoo Customer Care didn't stop accepting partial Yahoo account info in exchange for a new password. It was to be one of the biggest compromises of Yahoo accounts. Yahoo didn't fix the bug straight away, so it led to hundreds of accounts being compromised and never recovered. After this incident, and still to this day, Yahoo Customer Care are easily socially engineered via the telephone if you offer them partial Yahoo account information. (shocking)

Point being, web-to-voice social engineering has been around forever, just a few smart guys are trying to coin a phrase, which is only going to confuse the mess that is "phishing".

The name phishing should never have been coined, and I warn the industry not to add on any more variants to the phishing term, which is in all means just social engineering. Phishing was a big mistake by the industry, now the last thing we need is "voice phishing" or any other (ph)rases...

See comments section of: http://www.digg.com/security/Say_Hello_to_voice_phishing_2
but calling it something different allows gadi to add another item on his list of things to complain about. we all know there are only three security issues: bugs, design faults, and social engineering. let the idiots have their terms, there is nothing you can do about it.

-- mic